Despite years of open source fans claiming that “many eyes make all bugs shallow”, there are far too few security researchers actually auditing these projects, and even fewer making their work public. That’s why it’s nice to see a post like this that describes an interesting bug. On June 26th Lab Mouse Security published a nice write-up of a 20-year-old integer overflow vulnerability in a widely used LZO implementation written by Markus Oberhumer.
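The post above only names the bug class (an integer overflow in a decompressor); it does not reproduce the code. As an added illustration that is not the LZO code, not Lab Mouse's write-up, and not a reconstruction of the actual bug, the following C shows the defensive pattern a reviewer looks for when a decoder accumulates a length from untrusted input: every addition is checked against wrapping, and the running total is checked against the space left in the output buffer before any copy happens. The byte encoding (each leading `0x00` adds 255, the first non-zero byte terminates the length) and all sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a run length from untrusted input (constructed encoding, assumed
 * for this example: each leading 0x00 byte adds 255, the first non-zero
 * byte terminates and adds its own value).
 *
 * Returns the number of input bytes consumed, or 0 on any error:
 *   - the accumulated length would wrap size_t,
 *   - the input ends before the terminating byte,
 *   - the length exceeds what the output buffer can still hold.
 * On success the decoded length is stored in *len_out. */
size_t decode_run_length(const uint8_t *in, size_t in_len,
                         size_t out_remaining, size_t *len_out)
{
    size_t len = 0;
    size_t i = 0;

    while (i < in_len && in[i] == 0) {
        /* Refuse to wrap: an unchecked `len += 255` is exactly the kind of
         * arithmetic that turns a long run of zeros into a tiny length. */
        if (len > SIZE_MAX - 255)
            return 0;
        len += 255;
        i++;
        /* Bail out as soon as the length can no longer fit the output;
         * this bounds the loop by the buffer size, not by the input size. */
        if (len > out_remaining)
            return 0;
    }
    if (i >= in_len)
        return 0;                     /* truncated: no terminating byte */
    if (len > SIZE_MAX - in[i])
        return 0;
    len += in[i];
    i++;
    if (len > out_remaining)
        return 0;                     /* the copy that follows would overrun */

    *len_out = len;
    return i;
}

/* Convenience wrapper used by the demo: decoded length on success,
 * SIZE_MAX on any error (SIZE_MAX can never be a valid decoded length
 * here because the check against out_remaining rejects it). */
size_t decode_or_fail(const uint8_t *in, size_t in_len, size_t out_remaining)
{
    size_t len;
    if (decode_run_length(in, in_len, out_remaining, &len) == 0)
        return SIZE_MAX;
    return len;
}

/* Constructed sample inputs (not taken from any real compressed stream). */
const uint8_t SAMPLE_SHORT[] = { 0x05 };             /* length 5          */
const uint8_t SAMPLE_LONG[]  = { 0x00, 0x00, 0x10 }; /* 255 + 255 + 16   */
const uint8_t SAMPLE_TRUNC[] = { 0x00, 0x00 };       /* no terminator     */

int main(void)
{
    size_t len;
    size_t used = decode_run_length(SAMPLE_LONG, sizeof SAMPLE_LONG, 1000, &len);
    if (used)
        printf("decoded length %zu using %zu input bytes\n", len, used);

    /* Same encoded length, but only 100 bytes of output left: rejected. */
    if (decode_run_length(SAMPLE_LONG, sizeof SAMPLE_LONG, 100, &len) == 0)
        printf("rejected: length exceeds remaining output\n");

    if (decode_run_length(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 1000, &len) == 0)
        printf("rejected: truncated input\n");
    return 0;
}
```

The two checks serve different purposes: the `SIZE_MAX` comparison is the integer-overflow guard, and the `out_remaining` comparison is the memory-safety guard. A decoder that has the second but not the first can still be fooled when the wrapped value happens to land below `out_remaining`, so both belong in any length-accumulating loop that a fuzzer or an auditor will eventually reach.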
When I see something like this and a patch is released, I like to investigate the code to look for additional issues. Auditing source code for vulnerabilities is hard, and bugs like to travel in groups. Even professional auditors miss vulnerabilities, and trying to prove that there are no security vulnerabilities in a certain piece of code is essentially impossible.
More here: http://blog.lekkertech.net/blog/2014/07/02/LZO-on-integer-overflows-and-auditing/